Brian or Ken-
Nearly everything I have ever read about changing the krbTGT password says you should change it twice if you are in a situation where you have to change it. Would that be pertinent here as well?

--bob

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, October 01, 2009 7:02 PM
To: NT System Admin Issues
Subject: RE: krbtgt Account issues

Well basically something requested AES256 encryption (a Vista+ client) and there isn't such an encryption type available. That account is supposed to get its password rotated automatically when you go to DFL3 (WS2008). It would appear as though that did not happen (or have you not raised your DFL?).

You should just be able to reset the krbtgt password to something of your choosing and be on your merry way. It's possible you may have boxes which need to be bounced after this but this shouldn't happen.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132

From: Ken Schaefer [mailto:[email protected]]
Sent: Thursday, October 01, 2009 8:05 PM
To: NT System Admin Issues
Subject: RE: krbtgt Account issues

Hi,

You do not need to enable that account. Its only purpose is to provide a password that can be used to derive certain protections applied to TGTs.

To be honest - I've never seen this error before, and I'm entirely sure why you're in this situation. After resetting the password, have you given time for the changes to propagate, and also tried purging the tickets of the service in question?

Cheers
Ken

From: Sean Rector [mailto:[email protected]]
Sent: Friday, 2 October 2009 1:21 AM
To: NT System Admin Issues
Subject: krbtgt Account issues

I'm getting the event listed below when my BES server tries to do an LDAP lookup. The problem is that while I can reset the krbtgt account's password, it is disabled and cannot be enabled. The Kerberos Key Distribution service runs on the System Account. What's the best method for clearing this problem?

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 10/1/2009 1:05:51 PM
Event ID: 14
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: VOA-NOR-DC01.vaopera.net
Description:
While processing an AS request for target service krbtgt/VAOPERA.NET, the account account.adm did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 3). The requested etypes : 18. The accounts available etypes : 23 -133 -128 3 -140. Changing or resetting the password of krbtgt will generate a proper key.

Sean Rector, MCSE
Information Technology Manager
Virginia Opera Association
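
Added example, not part of the original thread or written by any of its participants: a small parser for the Description text of KDC Event ID 14 that decodes the requested and available etype numbers and reports whether the account holds any AES key. The function names are hypothetical, the sample is the event text quoted above, and only registered etype numbers are named (negative values are reported as private).

```python
import re

# Registered Kerberos etype numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
AES_ETYPES = {17, 18}

# Sample input: the Description text of the event quoted in the thread.
SAMPLE = (
    "While processing an AS request for target service krbtgt/VAOPERA.NET, "
    "the account account.adm did not have a suitable key for generating a "
    "Kerberos ticket (the missing key has an ID of 3). The requested etypes : 18. "
    "The accounts available etypes : 23 -133 -128 3 -140. Changing or resetting "
    "the password of krbtgt will generate a proper key."
)

PATTERN = re.compile(
    r"target service (?P<service>\S+?), the account (?P<account>\S+) did not have"
    r".*?requested etypes\s*:\s*(?P<req>[-\d\s]+?)\."
    r".*?available etypes\s*:\s*(?P<avail>[-\d\s]+?)\.",
    re.S,
)

def etype_name(etype):
    # Negative numbers are outside the registered range; leave them unnamed.
    return ETYPE_NAMES.get(etype, "private" if etype < 0 else "unknown")

def analyze(description):
    m = PATTERN.search(description)
    if m is None:
        raise ValueError("not a KDC event 14 description")
    requested = [int(x) for x in m["req"].split()]
    available = [int(x) for x in m["avail"].split()]
    return {
        "service": m["service"],
        "account": m["account"],
        "requested": {e: etype_name(e) for e in requested},
        "available": {e: etype_name(e) for e in available},
        # Requested etypes for which the account has no stored key.
        "unsatisfied": [e for e in requested if e not in available],
        "has_aes_key": bool(AES_ETYPES & set(available)),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over exported System log events from each domain controller, this lists the accounts whose stored keys predate AES support and so still need a password reset.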
